Unisys
Application Defender
Security Assessment
Client Facing Document
Version 0.1
May 11, 2007
Table of Contents
Application Defender Security Assessment, page 1
Executive Summary, page 1
Application Defender Overview, page 1
Assessment Process, page 1
OWASP Comparison, page 1
Areas of Analysis, page 3
Conclusion, page 6
About Unisys, page 6
About Symantec, page 6
Page 1
Unisys & Symantec Corporation
Application Defender Security Assessment
Executive Summary
Symantec worked with Unisys to perform a comprehensive security assessment of the Application Defender JBoss/Tomcat
web application protection environment. The security assessment focused on validating the protections offered by the
Application Defender product and identifying any potential areas for improvement. During the security assessment
Symantec provided recommendations that the Unisys development team used to improve the security of
Application Defender, resulting in improvements to the product. In April 2007, the identified vulnerabilities were retested
and the newly implemented security controls were reviewed with positive results. This document summarizes
the assessment of Application Defender.
The increased security for JBoss and Tomcat applications provided by Application Defender allows customers to deploy
applications on many different operating systems with confidence. Application Defender successfully defends Java JBoss and
Tomcat applications deployed on ClearPath OS2200 and MCP systems, as well as Microsoft Windows, Unix, and Linux
systems. The Application Defender system detects and protects applications from most common web attacks, such as cross
site scripting (XSS), SQL injection, and form field variable tampering to reduce the risk of attacks directed at JBoss and
Tomcat applications. Additionally, Unisys provides recommendations to their customers to help deploy applications securely
and to help understand the potential impacts of insecure coding in J2EE applications.
Application Defender Overview
Application Defender provides Java-based applications with a protection system that defends them from common security
exposures in real time while they are deployed on production web servers. Application Defender integrates seamlessly with
web applications developed in the Java JBoss and Tomcat environments. Application Defender provides protection for web
security exposures resulting from cross-site scripting, SQL injection, broken authentication and many other web-based attack
vectors.
Application Defender protection is automatically woven directly into the binary code of the application, without requiring
access to the source code. Application Defender has the ability to scale systems utilizing load-balancers or clustered
configurations. The performance of protected applications is comparable to performance of applications with equivalent
"hand-coded" functionality.
Assessment Process
Symantec used its proprietary, proven methodology to assess the security protections afforded by Application Defender. For
this assessment, the following analytical methods were employed:
• Interviews with Unisys personnel
• Review of application design and configuration documentation
• Review of the security controls implemented in Application Defender, including access control, data validation,
session management, cryptography, third party dependencies, and deployment issues
• Application penetration testing using open source and Symantec proprietary tools
• Comparison of Application Defender security controls to industry standard best practices
• Review of the Application Defender product to determine if it successfully defends applications against the OWASP
Top Ten Most Critical Web Application Security Vulnerabilities
OWASP Comparison
As part of the security assessment, Symantec compared the security provided by the Application Defender system to the
Open Web Application Security Project (OWASP, www.owasp.org) Top Ten vulnerabilities for web applications. The
following analysis focuses on the security of the Application Defender protected environments. The testing was conducted
by deploying applications with known vulnerabilities, then adding Application Defender’s protection capabilities, and testing
the applications for vulnerability to web attacks.
OWASP Top Ten Vulnerabilities

Unvalidated Input
Description: Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.
Application Defender Assessment: Application Defender successfully thwarted attacks against applications lacking sufficient input validation.

Broken Access Control
Description: Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.
Application Defender Assessment: Application Defender successfully defended against exploitation of applications with broken access control mechanisms.

Broken Authentication and Session Management
Description: Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
Application Defender Assessment: Application Defender was resilient to attacks against session identifiers and authentication mechanisms, and attempts to exploit these types of weaknesses were fruitless.

Cross Site Scripting (XSS) Flaws
Description: The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.
Application Defender Assessment: Application Defender successfully defended vulnerable applications against cross-site scripting attacks, even though the application did not thoroughly sanitize user input.

Buffer Overflows
Description: Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.
Application Defender Assessment: The Java environment tested successfully repelled buffer overflow style attacks.

Injection Flaws
Description: Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
Application Defender Assessment: Application Defender stopped the tested injection style attacks despite the defended application having numerous vulnerabilities in this category.

Improper Error Handling
Description: Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
Application Defender Assessment: Application Defender can effectively eliminate providing additional information to an intruder. During the course of testing, Symantec consultants were able to work with Unisys to make improvements and recommendations to further strengthen the security of Application Defender error handling mechanisms.

Insecure Storage
Description: Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
Application Defender Assessment: This category does not apply to Application Defender functionality.

Denial of Service
Description: Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.
Application Defender Assessment: This category does not apply to Application Defender functionality.

Insecure Configuration Management
Description: Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.
Application Defender Assessment: This category does not apply to Application Defender functionality.
Areas of Analysis
During the course of the assessment, several areas were identified as topics for analysis. The Areas of Analysis table lists
these topics, describes best security practices, evaluates the implementation of the current environment, and includes
recommendations for improving security in each area as warranted.
Areas of Analysis

Administration
Best Practice: Administration functionality should be isolated from the rest of the application. Only authorized users should be permitted to administer the product or application.
Evaluation: Satisfactory. The primary administrative interface to Application Defender is through a client program. It is not possible to administer Application Defender remotely through the web application being protected.
Recommendation: Continue this practice.

Application Business Logic
Best Practice: The internal business logic should not introduce vulnerabilities as a side effect or directly in order to implement core functionality required by the application. Errors generated by the application should be sufficient to report business logic related errors, but not reveal pertinent information to an attacker about application internals.
Evaluation: Fair. If communication with the production server agent is interrupted, then the protection offered by Application Defender is reduced. Stateful security features that protect against forced browsing, session riding, and HTML form field tampering are not applied. This may expose application vulnerabilities to an attacker while the communication interruption exists. This is typically described as a "fail open" scenario because atypical conditions could result in security controls being ignored.
Recommendation: Consider offering a "fail close" default mode of operation where interruption in Application Defender operation does not result in an unprotected application.

Authentication/Authorization
Best Practice: Authentication mechanisms should prevent users without credentials from accessing application functionality. Authorization mechanisms should prevent authenticated users from accessing functionality or data without the appropriate privileges.
Evaluation: Satisfactory. No authentication mechanisms could be bypassed. Authorization was properly performed.
Recommendation: Continue this practice.

Communications Security
Best Practice: Communication of sensitive information should be encrypted to prevent unauthorized eavesdropping and to ensure data integrity.
Evaluation: Satisfactory. Communication between the various Application Defender components is sufficiently encrypted using publicly scrutinized encryption algorithms.
Recommendation: Continue this practice.

Cryptographic Algorithms
Best Practice: Encryption mechanisms should utilize publicly scrutinized algorithms in modes that are resistant to known cryptanalysis methods.
Evaluation: Satisfactory. Encryption methods utilize triple DES and AES.
Recommendation: Continue this practice.

Data Validation
Best Practice: All user-controlled data should be checked for validity. Bounds checking should be used to prevent buffer overflows and/or variable assignment violations. Syntax checking should be used to prevent data encoding, data injection, and/or format string attacks.
Evaluation: Satisfactory. Application Defender successfully validates incoming data to protect insecure applications as well as the App Defender product itself. Symantec consultants were able to remediate a null-byte logging truncation issue during the course of testing to improve this area further.
Recommendation: Continue this practice.

Deployment Configuration
Best Practice: All demonstration applications and sample code should be removed from production systems. Production systems should be deployed with the minimum set of services required for the application to function. File system and database permissions should be used to restrict read and write access to appropriate users. Attempts to access critical data should be audited. Critical or sensitive data should be stored encrypted.
Evaluation: Satisfactory. During the course of testing, Symantec consultants were able to identify improvements in the default JBoss installation which occurs with the master server install.
Recommendation: Continue this practice.

Error Handling
Best Practice: To prevent information leakage, the application should trap error messages that provide detailed system information. Informative error messages detailing file system path information, backend database structures or application business logic can help lead an attacker to system compromise.
Evaluation: Satisfactory. During testing, Symantec consultants were able to remedy an overly verbose error situation by working with Unisys. An attacker would have been able to map out protected functionality and attempt to circumvent security controls based on knowledge gained through errors. This has since been remedied.
Recommendation: Continue this practice.

Network Level Access Controls
Best Practice: Network level filters should be deployed in order to restrict traffic flow to explicitly defined resources. A restrictive ruleset with a default deny policy should be used.
Evaluation: N/A. Implementation of network filters depends upon the environment where Application Defender is used. Network layer filters should be implemented as a best-practice consideration to restrict traffic flow between the various Application Defender components (master, production, and client) to only what is necessary.
Recommendation: N/A.

Privacy
Best Practice: The application should maintain privacy of confidential user data throughout the entire data flow lifecycle. The application should ensure that confidential data (such as SSN, passwords or PINs) is not stored in web server or reverse proxy log files and does not reside in unencrypted form in cookies or browser cache data. Proper authorization has been implemented to ensure application users are not able to view sensitive information pertaining to another application user.
Evaluation: Satisfactory. Sensitive information is logged only when debug mode is enabled, which is turned off by default.
Recommendation: Continue this practice.

Session Management
Best Practice: Session management should rely on strong session identifiers that are difficult to predict or guess. Sessions may then be used to enforce application-level access controls.
Evaluation: Satisfactory. Attempts to alter session cookies in AppDefender were not successful.
Recommendation: Continue this practice.

Third-Party Dependencies
Best Practice: Any third party dependencies or services that are deployed by default should be heavily audited to ensure that they do not compromise the security of the product or application being supported.
Evaluation: Satisfactory. During the testing, the shipping implementations of JBoss provided were found to be vulnerable to known issues. This was fixed by the Unisys development team.
Recommendation: Continue this practice.
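Two findings in the Areas of Analysis table turn on the same enforcement-point design: the "fail open" behaviour described under Application Business Logic (stateful checks silently skipped when the agent link drops) and the null-byte logging truncation issue noted under Data Validation. The following Python is an added example written for this page, not Application Defender code and not Unisys or Symantec material; the agent, request and protector classes, the path sets and the session ids are all hypothetical constructions. It shows a protector that can be configured to fail closed on agent outage, alongside an audit log writer that escapes NUL and other control characters so a user-supplied value cannot truncate or split a log line.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Control characters that must never reach a log line raw: NUL (0x00) ends a
# C-style string and silently truncates everything after it, and CR/LF let a
# user-supplied value forge additional log entries.
_LOG_UNSAFE = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value: str, max_len: int = 200) -> str:
    """Escape control characters so a user-controlled value cannot truncate or
    split a log line; over-long values are cut and marked rather than logged whole."""
    escaped = _LOG_UNSAFE.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)
    if len(escaped) > max_len:
        escaped = escaped[:max_len] + "...[truncated]"
    return escaped


class AgentUnavailable(Exception):
    """Raised when the (hypothetical) stateful agent cannot be reached."""


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed sample data)."""
    path: str
    session_id: str


@dataclass
class StatefulAgent:
    """Stand-in for the server-side agent that tracks, per session, which
    paths the application has actually offered to the user (hypothetical)."""
    allowed_paths: Dict[str, Set[str]] = field(default_factory=dict)
    reachable: bool = True

    def is_allowed(self, req: Request) -> bool:
        if not self.reachable:
            raise AgentUnavailable("agent connection interrupted")
        return req.path in self.allowed_paths.get(req.session_id, set())


class Protector:
    """Enforcement point in front of the application. With fail_closed=True an
    agent outage denies the request; with fail_closed=False the stateful check
    is skipped, which is the "fail open" condition the assessment describes."""

    def __init__(self, agent: StatefulAgent, fail_closed: bool = True) -> None:
        self.agent = agent
        self.fail_closed = fail_closed
        self.audit = []  # sanitized audit lines, one per decision

    def _log(self, event: str, req: Request, extra: str = "") -> None:
        line = "%s session=%s path=%s%s" % (
            event, sanitize_for_log(req.session_id), sanitize_for_log(req.path), extra)
        self.audit.append(line)

    def handle(self, req: Request) -> Tuple[int, str]:
        try:
            allowed = self.agent.is_allowed(req)
        except AgentUnavailable as exc:
            self._log("agent-unavailable", req, " reason=%s" % exc)
            if self.fail_closed:
                return 503, "Service temporarily unavailable"
            allowed = True  # fail open: forced-browsing protection is silently lost
        if not allowed:
            self._log("blocked", req)
            return 403, "Forbidden"
        self._log("allowed", req)
        return 200, "OK"


def demo() -> Dict[str, int]:
    """Run the constructed scenario and return the status code of each step."""
    agent = StatefulAgent(allowed_paths={"s1": {"/account"}})
    closed = Protector(agent, fail_closed=True)
    open_mode = Protector(agent, fail_closed=False)
    results = {}
    results["normal_allowed"] = closed.handle(Request("/account", "s1"))[0]
    results["normal_blocked"] = closed.handle(Request("/admin", "s1"))[0]
    agent.reachable = False  # simulate the communication interruption
    results["outage_fail_closed"] = closed.handle(Request("/admin", "s1"))[0]
    results["outage_fail_open"] = open_mode.handle(Request("/admin", "s1"))[0]
    # A path carrying a NUL byte must not truncate the audit line.
    closed.handle(Request("/admin\x00hidden", "s1"))
    results["audit_intact"] = int(all("\x00" not in line and "hidden" in line
                                      for line in closed.audit[-1:]))
    return results


if __name__ == "__main__":
    for name, code in demo().items():
        print(name, code)
```

Running `demo()` shows the contrast the table draws: during the simulated agent outage the fail-closed protector answers 503 for the path the user was never offered, while the fail-open protector lets the same request through with 200, and the audit line for the NUL-carrying path keeps the text after the NUL byte in escaped form.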
Conclusion
The Unisys Application Defender product is unique in its functionality. As a security product, it offers an additional
layer of protection against most common web vulnerabilities despite application vulnerabilities being present on live sites. It
provides real-time notification and defense against attacks that would be successful without its protection. Unisys has taken
proactive steps to ensure that customers can deploy their JBoss applications in the most secure environment possible on
multiple platforms such as Windows, UNIX, and the ClearPath OS2200. Common web-application vulnerabilities such as
cross-site scripting, field tampering, and SQL injection were successfully detected and prevented by Application Defender.
This security assessment demonstrates a commitment to continuously enhancing platform security, and Symantec has already
performed retests of items discovered during testing with fixes put in place in a very timely fashion by the Unisys
development team. In conclusion, Unisys has demonstrated continued commitment to securing its products and customers by
conducting third-party security assessments, monitoring relevant security issues, and taking proactive steps towards a more
secure environment.
About Unisys
Unisys is a worldwide information technology services and solutions company. Unisys employees combine expertise in
consulting, systems integration, outsourcing, infrastructure and server technology with precision thinking and relentless
execution to help clients, in more than 100 countries, quickly and efficiently achieve competitive advantage. For more
information, visit www.unisys.com.
About Symantec
Symantec is the global leader in information security providing a broad range of software, appliances and services designed
to help individuals, small and mid-sized businesses, and large enterprises secure and manage their IT infrastructure.
Symantec's Norton brand of products is the worldwide leader in consumer security and problem-solving solutions.
Headquartered in Cupertino, California, Symantec has operations in more than 35 countries. More information is available at
www.symantec.com.
Symantec makes this document available for informational purposes only. It may not reflect the most current legal developments, and
Symantec does not represent, warrant or guarantee that it is complete, accurate, or up-to-date, nor does Symantec offer any certification or
guarantee with respect to the opinions expressed herein. Changing circumstances may change the accuracy of the content herein. The
information contained herein is not intended to constitute legal advice nor should it be used as a substitute for specific legal advice from a
licensed attorney. This report makes no representations or warranties of any kind regarding the security of the Unisys Clearpath OS2200
server or forward-looking statements regarding the effects of future events. You should not act (or refrain from acting) based upon information
herein without obtaining professional advice regarding your particular facts and circumstances. Opinions presented in this document reflect
judgment at the time of publication and are subject to change. While every precaution has been taken in the preparation of this document,
Symantec assumes no responsibility for errors, omissions, or damages resulting from the use of the information herein.
Reproduction guidelines: You may make copies of this document unless otherwise noted. If you quote or reference this document, you must
appropriately attribute the contents and authorship to Symantec. Symantec and the Symantec logo are trademarks or registered trademarks,
in the United States and certain other countries, of Symantec Corporation. Additional company and product names may be trademarks or
registered trademarks of the individual companies and are respectfully acknowledged.
Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of
their respective holder/s.
For specific country offices and
contact numbers, please visit
our Web site. For product
information in the U.S., call
toll-free (800) 745 6054.
Symantec Corporation
World Headquarters
20330 Stevens Creek Blvd.
Cupertino, CA 95014 USA
+1 (408) 517 8000
1 (800) 721 3934
www.symantec.com

 
Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51
 
Strategies for Effective Cybersecurity in Web Development pdf.pdf
Strategies for Effective Cybersecurity in Web Development pdf.pdfStrategies for Effective Cybersecurity in Web Development pdf.pdf
Strategies for Effective Cybersecurity in Web Development pdf.pdf
 
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference Guide
 
mastering_web_testing_how_to_make_the_most_of_frameworks.pdf
mastering_web_testing_how_to_make_the_most_of_frameworks.pdfmastering_web_testing_how_to_make_the_most_of_frameworks.pdf
mastering_web_testing_how_to_make_the_most_of_frameworks.pdf
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
T04505103106
T04505103106T04505103106
T04505103106
 
7 measures to overcome cyber attacks of web application
7 measures to overcome cyber attacks of web application7 measures to overcome cyber attacks of web application
7 measures to overcome cyber attacks of web application
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applications
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1
 
Web Application Security Services in India | Senselearner
Web Application Security Services  in India | SenselearnerWeb Application Security Services  in India | Senselearner
Web Application Security Services in India | Senselearner
 
Best Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdfBest Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdf
 

Unisys_AppDefender_Symantec_CFD_0_1_final

Unisys Application Defender Security Assessment
Client Facing Document
Version 0.1
May 11, 2007

Table of Contents
Application Defender Security Assessment
  Executive Summary
  Application Defender Overview
  Assessment Process
  OWASP Comparison
  Areas of Analysis
  Conclusion
  About Unisys
  About Symantec
Application Defender Security Assessment
Unisys & Symantec Corporation

Executive Summary

Symantec worked with Unisys to perform a comprehensive security assessment of the Application Defender JBoss/Tomcat web application protection environment. The assessment focused on validating the protections offered by the Application Defender product and identifying potential areas for improvement. During the assessment Symantec provided recommendations that the Unisys development team used to improve the security of Application Defender. In April 2007 the identified vulnerabilities were retested and the newly implemented security controls were reviewed, with positive results. This document summarizes the assessment of Application Defender.

The added security that Application Defender provides for JBoss and Tomcat applications allows customers to deploy applications on many different operating systems with confidence. Application Defender defends Java JBoss and Tomcat applications deployed on ClearPath OS2200 and MCP systems, as well as on Microsoft Windows, Unix and Linux systems. It detects and protects applications from the most common web attacks, such as cross-site scripting (XSS), SQL injection and form field tampering, reducing the risk of attacks directed at JBoss and Tomcat applications. Additionally, Unisys provides recommendations to help its customers deploy applications securely and understand the potential impact of insecure coding in J2EE applications.

Application Defender Overview

Application Defender gives Java-based applications a protection system that guards them against common security exposures in real time while they are deployed on production web servers. It integrates with web applications developed for the JBoss and Tomcat environments and protects against web security exposures resulting from cross-site scripting, SQL injection, broken authentication and many other web-based attack vectors. The protection is woven directly into the binary (compiled) code of the application, without requiring access to the source code. Application Defender can scale across systems that use load balancers or clustered configurations, and the performance of protected applications is comparable to that of applications with equivalent hand-coded protection.

Assessment Process

Symantec used its proprietary, proven methodology to assess the security protections afforded by Application Defender. The following analytical methods were employed:

• Interviews with Unisys personnel
• Review of application design and configuration documentation
• Review of the security controls implemented in Application Defender, including access control, data validation, session management, cryptography, third-party dependencies and deployment issues
• Application penetration testing using open source and Symantec proprietary tools
• Comparison of Application Defender security controls to industry standard best practices
• Review of the Application Defender product to determine whether it successfully defends applications against the OWASP Top Ten Most Critical Web Application Security Vulnerabilities

OWASP Comparison

As part of the security assessment, Symantec compared the security provided by the Application Defender system to the Open Web Application Security Project (OWASP, www.owasp.org) Top Ten vulnerabilities for web applications. The following analysis focuses on the security of Application Defender-protected environments. The testing was conducted by deploying applications with known vulnerabilities, adding Application Defender's protection, and then testing the applications for vulnerability to web attacks. The categories below are those of the OWASP Top Ten list in use at the time of the assessment (the 2004 edition).

OWASP Top Ten Vulnerabilities

Unvalidated Input
  Description: Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.
  Application Defender Assessment: Application Defender successfully thwarted attacks against applications lacking sufficient input validation.

Broken Access Control
  Description: Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.
  Application Defender Assessment: Application Defender successfully defended against exploitation of applications with broken access control mechanisms.

Broken Authentication and Session Management
  Description: Account credentials and session tokens are not properly protected. Attackers who can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
  Application Defender Assessment: Application Defender was resilient to attacks against session identifiers and authentication mechanisms; attempts to exploit these types of weaknesses were fruitless.

Cross Site Scripting (XSS) Flaws
  Description: The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.
  Application Defender Assessment: Application Defender successfully defended vulnerable applications against cross-site scripting attacks, even though the applications did not thoroughly sanitize user input.

Buffer Overflows
  Description: Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.
  Application Defender Assessment: The Java environment tested successfully repelled buffer overflow style attacks. (Java's bounds-checked, managed memory removes this class of flaw from application code itself; the JVM and any native libraries it loads remain native code and are outside the scope of this protection.)

Injection Flaws
  Description: Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
  Application Defender Assessment: Application Defender stopped the tested injection style attacks despite the defended application having numerous vulnerabilities in this category.

Improper Error Handling
  Description: Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
  Application Defender Assessment: Application Defender can effectively prevent additional information from being provided to an intruder. During testing, Symantec consultants worked with Unisys on improvements and recommendations to further strengthen the security of Application Defender's error handling mechanisms.

Insecure Storage
  Description: Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
  Application Defender Assessment: This category does not apply to Application Defender functionality.

Denial of Service
  Description: Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.
  Application Defender Assessment: This category does not apply to Application Defender functionality.

Insecure Configuration Management
  Description: Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.
  Application Defender Assessment: This category does not apply to Application Defender functionality.

Areas of Analysis

During the course of the assessment, several areas were identified as topics for analysis. The Areas of Analysis entries below list these topics, describe best security practices, evaluate the implementation of the current environment, and include recommendations for improving security in each area as warranted.

Administration
  Best Practice: Administration functionality should be isolated from the rest of the application. Only authorized users should be permitted to administer the product or application.
  Evaluation: Satisfactory. The primary administrative interface to Application Defender is a client program. It is not possible to administer Application Defender remotely through the web application being protected.
  Recommendation: Continue this practice.
Application Business Logic
  Best Practice: The internal business logic should not introduce vulnerabilities, either as a side effect or directly, in order to implement core functionality required by the application. Errors generated by the application should be sufficient to report business logic related errors, but should not reveal information about application internals that is useful to an attacker.
  Evaluation: Fair. If communication with the production server agent is interrupted, the protection offered by Application Defender is reduced: the stateful security features that protect against forced browsing, session riding and HTML form field tampering are not applied. Application vulnerabilities may therefore be exposed to an attacker for as long as the interruption lasts. This is typically described as a "fail open" scenario, because an abnormal condition results in security controls being bypassed.
  Recommendation: Consider offering a "fail closed" default mode of operation, in which an interruption of Application Defender operation does not leave the application unprotected.

Authentication/Authorization
  Best Practice: Authentication mechanisms should prevent users without credentials from accessing application functionality. Authorization mechanisms should prevent authenticated users from accessing functionality or data without the appropriate privileges.
  Evaluation: Satisfactory. No authentication mechanisms could be bypassed. Authorization was properly performed.
  Recommendation: Continue this practice.

Communications Security
  Best Practice: Communication of sensitive information should be encrypted to prevent unauthorized eavesdropping and to ensure data integrity.
  Evaluation: Satisfactory. Communication between the various Application Defender components is encrypted using publicly scrutinized encryption algorithms.
  Recommendation: Continue this practice.
Cryptographic Algorithms
  Best Practice: Encryption mechanisms should use publicly scrutinized algorithms in modes that are resistant to known cryptanalysis methods.
  Evaluation: Satisfactory. Encryption methods use Triple DES and AES. (Triple DES has since been deprecated by NIST, so AES should be preferred for new deployments.)
  Recommendation: Continue this practice.

Data Validation
  Best Practice: All user-controlled data should be checked for validity. Bounds checking should be used to prevent buffer overflows and variable assignment violations. Syntax checking should be used to prevent data encoding, data injection and format string attacks.
  Evaluation: Satisfactory. Application Defender successfully validates incoming data to protect insecure applications as well as the Application Defender product itself. During testing, a null-byte logging truncation issue (a NUL byte embedded in user-controlled data that caused the remainder of a log entry to be cut off) was identified and remediated, improving this area further.
  Recommendation: Continue this practice.

Deployment Configuration
  Best Practice: All demonstration applications and sample code should be removed from production systems. Production systems should be deployed with the minimum set of services required for the application to function. File system and database permissions should be used to restrict read and write access to appropriate users. Attempts to access critical data should be audited. Critical or sensitive data should be stored encrypted.
  Evaluation: Satisfactory. During testing, Symantec consultants identified improvements to the default JBoss installation that is performed by the master server install.
  Recommendation: Continue this practice.
Error Handling
  Best Practice: To prevent information leakage, the application should trap error messages that provide detailed system information. Informative error messages detailing file system paths, backend database structures or application business logic can help lead an attacker to system compromise.
  Evaluation: Satisfactory. During testing, Symantec consultants worked with Unisys to remedy an overly verbose error condition. Using the knowledge gained from those errors, an attacker would have been able to map out protected functionality and attempt to circumvent security controls. This has since been remedied.
  Recommendation: Continue this practice.

Network Level Access Controls
  Best Practice: Network level filters should be deployed to restrict traffic flow to explicitly defined resources. A restrictive ruleset with a default deny policy should be used.
  Evaluation: N/A. Implementation of network filters depends on the environment in which Application Defender is used. As a best practice, network layer filters should be implemented to permit only the necessary traffic between the various Application Defender components (master, production and client).
  Recommendation: N/A.

Privacy
  Best Practice: The application should maintain the privacy of confidential user data throughout the entire data flow lifecycle. The application should ensure that confidential data (such as SSNs, passwords or PINs) is not stored in web server or reverse proxy log files and does not reside unencrypted in cookies or browser cache data. Proper authorization should be implemented to ensure that application users are not able to view sensitive information pertaining to another application user.
  Evaluation: Satisfactory. Sensitive information is logged only when debug mode is enabled, which is turned off by default.
  Recommendation: Continue this practice.

Session Management
  Best Practice: Session management should rely on strong session identifiers that are difficult to predict or guess. Sessions may then be used to enforce application-level access controls.
  Evaluation: Satisfactory. Attempts to alter session cookies in Application Defender were not successful.
  Recommendation: Continue this practice.

Third-Party Dependencies
  Best Practice: Any third-party dependencies or services that are deployed by default should be heavily audited to ensure that they do not compromise the security of the product or application being supported.
  Evaluation: Satisfactory. During testing, the shipped JBoss implementations were found to be vulnerable to known, publicly disclosed issues. This was fixed by the Unisys development team.
  Recommendation: Continue this practice.
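The Application Business Logic entry above describes two things at once: the stateful protections (HTML form field tampering, session riding) and the "fail open" behaviour when the production server agent is unreachable. The following Python example, added here and not taken from this report or from Application Defender (whose Java bytecode instrumentation is not described on this page), shows one way such a check can be built and what the fail-open versus fail-closed choice means in practice. The server seals the non-editable fields of a form with an HMAC bound to the user's session; on submission the fixed fields are re-sealed and compared, so an altered price or a form replayed from another session is rejected. The ProtectionAgent class, the SEAL_FIELD name, the policy layout, the session identifiers and the checkout values are all constructed for the example.

```python
"""Stateful request protection: sealed form fields (tampering + session riding)
and what happens when the agent holding the policy becomes unreachable."""
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

SEAL_FIELD = "__seal"  # hypothetical hidden field name, not the product's


class AgentUnavailable(Exception):
    """Raised when the production server agent cannot be reached."""


class ProtectionAgent:
    """Stand-in for the agent that holds the sealing key and the form policy.
    The key is a constructed per-process secret; a real agent would load it
    from protected configuration rather than generate it at start-up."""

    def __init__(self, policy):
        self.policy = policy            # action -> names of fixed (non-editable) fields
        self.key = secrets.token_bytes(32)
        self.reachable = True

    def _mac(self, session_id, action, fixed):
        # urlencode percent-escapes separators, so the message is unambiguous
        msg = urlencode([("sid", session_id), ("action", action),
                         ("fields", urlencode(sorted(fixed.items())))]).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def seal_form(self, session_id, action, fixed):
        """Hidden fields to emit with the form: the fixed values plus a seal bound
        to this session and action, so a copy submitted elsewhere fails."""
        if not self.reachable:
            raise AgentUnavailable("agent link down")
        return dict(fixed, **{SEAL_FIELD: self._mac(session_id, action, fixed)})

    def verify(self, session_id, action, submitted):
        """True only if every fixed field came back unchanged and the seal was
        minted for this session and action."""
        if not self.reachable:
            raise AgentUnavailable("agent link down")
        names = self.policy[action]
        if SEAL_FIELD not in submitted or any(n not in submitted for n in names):
            return False
        expected = self._mac(session_id, action, {n: submitted[n] for n in names})
        return hmac.compare_digest(submitted[SEAL_FIELD].encode("utf-8", "replace"),
                                   expected.encode())


class RequestGate:
    """Wraps a protected POST handler. fail_closed decides what happens when the
    agent is unreachable: refuse the request (503) or skip the stateful check."""

    def __init__(self, agent, fail_closed):
        self.agent, self.fail_closed = agent, fail_closed

    def post(self, session_id, action, submitted):
        try:
            ok = self.agent.verify(session_id, action, submitted)
        except AgentUnavailable:
            if self.fail_closed:
                return 503, "protection unavailable, request refused"
            ok = True  # fail open: tampering/session-riding check silently skipped
        if not ok:
            return 403, "form field tampering or session riding detected"
        return 200, "order accepted for item %s at price %s" % (
            submitted["item"], submitted["price"])


def checkout_scenario(fail_closed):
    """Constructed walk-through; returns the HTTP status of each step."""
    agent = ProtectionAgent({"/checkout": ["item", "price"]})
    gate = RequestGate(agent, fail_closed)
    form = agent.seal_form("sess-A", "/checkout", {"item": "42", "price": "100.00"})
    results = {}
    results["honest"] = gate.post("sess-A", "/checkout", dict(form, qty="2"))[0]
    results["price_tampered"] = gate.post(
        "sess-A", "/checkout", dict(form, price="0.01", qty="2"))[0]
    # session riding: the same sealed form replayed from a different session
    results["cross_session"] = gate.post("sess-B", "/checkout", dict(form, qty="2"))[0]
    agent.reachable = False  # simulate the interrupted agent link
    results["tampered_during_outage"] = gate.post(
        "sess-A", "/checkout", dict(form, price="0.01", qty="2"))[0]
    return results


if __name__ == "__main__":
    print("fail open:  ", checkout_scenario(fail_closed=False))
    print("fail closed:", checkout_scenario(fail_closed=True))
```

In fail-open mode the last step accepts an order at the tampered price because the only check that would have caught it lived on the unreachable agent; in fail-closed mode the same request is refused with a 503 until the agent link is restored. A fail-closed deployment therefore needs the agent to be as available as the application itself, which is the operational cost the recommendation above asks Unisys customers to weigh.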
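Two of the findings in the entries above are about what the application writes out rather than what it reads in: the null-byte logging truncation issue under Data Validation and the overly verbose error condition under Error Handling. The Python example below is added to illustrate both; it is not code from this report or from Application Defender. The first part shows why a NUL byte in attacker-controlled data matters (a log consumer that treats entries as C strings loses everything after it, which can hide the action being audited) and escapes NUL, CR, LF and other control characters before the line is written. The second part wraps a handler so that an exception is logged in full under a random reference and the client receives only that reference. The audit line layout, the NUL-terminated reader, the in-memory log sink, the handler and the file path are all constructed for the example.

```python
"""Log-line hardening against NUL-byte truncation and CRLF injection, plus an
error handler that returns an opaque reference instead of internal detail."""
import traceback
import uuid


def sanitize_for_log(value):
    """Escape NUL, CR, LF and other control characters so one event stays on one
    line and cannot be cut short by a NUL-terminated consumer."""
    out = []
    for ch in value:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            out.append("\\x%02x" % code)
        else:
            out.append(ch)
    return "".join(out)


def as_seen_by_nul_terminated_reader(line):
    """What a C-string based log consumer sees: everything after the first NUL is lost."""
    return line.split("\x00", 1)[0]


def audit_line(user, action, detail, sanitize=True):
    """Constructed audit record layout; sanitize=False reproduces the weak version."""
    f = sanitize_for_log if sanitize else (lambda s: s)
    return "user=%s action=%s detail=%s" % (f(user), f(action), f(detail))


class SafeErrorHandler:
    """Run a handler; on failure log the full trace under a random reference and
    return only that reference to the client."""

    def __init__(self):
        self.log = []  # constructed in-memory sink standing in for the server log

    def run(self, handler, *args):
        try:
            return 200, handler(*args)
        except Exception:
            ref = uuid.uuid4().hex[:12]
            self.log.append("ref=%s %s" % (ref, sanitize_for_log(traceback.format_exc())))
            return 500, "An internal error occurred. Reference: %s" % ref


def truncation_demo():
    """Constructed attacker-supplied username containing a NUL byte."""
    user = "mallory\x00"
    raw = audit_line(user, "delete_account", "target=alice", sanitize=False)
    safe = audit_line(user, "delete_account", "target=alice")
    return {"raw_as_read": as_seen_by_nul_terminated_reader(raw),
            "safe_as_read": as_seen_by_nul_terminated_reader(safe)}


def error_demo():
    """Constructed failing handler that would otherwise leak a file system path."""
    def load_policy(path):
        raise FileNotFoundError("policy file not found: " + path)

    handler = SafeErrorHandler()
    status, body = handler.run(load_policy, "/srv/app/conf/policy.xml")
    return status, body, handler.log[-1]


if __name__ == "__main__":
    print(truncation_demo())
    print(error_demo()[:2])
```

The escaped form keeps the whole record on one line and makes the injected byte visible to whoever reviews the log, which is usually more useful than silently dropping it. The reference returned to the client lets support staff find the full trace without the response itself revealing paths, stack frames or protected functionality.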
Conclusion

The Unisys Application Defender product is unique in its functionality. As a security product, it offers an additional layer of protection against the most common web vulnerabilities even when application vulnerabilities are present on live sites, and it provides real-time notification of, and defense against, attacks that would succeed without its protection. Unisys has taken proactive steps to ensure that customers can deploy their JBoss applications in the most secure environment possible on multiple platforms such as Windows, UNIX and ClearPath OS2200. Common web application vulnerabilities such as cross-site scripting, field tampering and SQL injection were successfully detected and prevented by Application Defender. This security assessment demonstrates a commitment to continuously enhancing platform security; Symantec has already retested the items discovered during testing, for which the Unisys development team put fixes in place in a very timely fashion.

In conclusion, Unisys has demonstrated a continued commitment to securing its products and customers by conducting third-party security assessments, monitoring relevant security issues, and taking proactive steps towards a more secure environment.

About Unisys

Unisys is a worldwide information technology services and solutions company. Unisys employees combine expertise in consulting, systems integration, outsourcing, infrastructure and server technology with precision thinking and relentless execution to help clients, in more than 100 countries, quickly and efficiently achieve competitive advantage. For more information, visit www.unisys.com.

About Symantec

Symantec is the global leader in information security, providing a broad range of software, appliances and services designed to help individuals, small and mid-sized businesses, and large enterprises secure and manage their IT infrastructure. Symantec's Norton brand of products is the worldwide leader in consumer security and problem-solving solutions. Headquartered in Cupertino, California, Symantec has operations in more than 35 countries. More information is available at www.symantec.com.

Symantec makes this document available for informational purposes only. It may not reflect the most current legal developments, and Symantec does not represent, warrant or guarantee that it is complete, accurate, or up-to-date, nor does Symantec offer any certification or guarantee with respect to the opinions expressed herein. Changing circumstances may change the accuracy of the content herein. The information contained herein is not intended to constitute legal advice nor should it be used as a substitute for specific legal advice from a licensed attorney. This report makes no representations or warranties of any kind regarding the security of the Unisys ClearPath OS2200 server or forward-looking statements regarding the effects of future events. You should not act (or refrain from acting) based upon information herein without obtaining professional advice regarding your particular facts and circumstances. Opinions presented in this document reflect judgment at the time of publication and are subject to change. While every precaution has been taken in the preparation of this document, Symantec assumes no responsibility for errors, omissions, or damages resulting from the use of the information herein.

Reproduction guidelines: You may make copies of this document unless otherwise noted. If you quote or reference this document, you must appropriately attribute the contents and authorship to Symantec. Symantec and the Symantec logo are trademarks or registered trademarks, in the United States and certain other countries, of Symantec Corporation. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holders.

For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free (800) 745 6054.

Symantec Corporation
World Headquarters
20330 Stevens Creek Blvd.
Cupertino, CA 95014 USA
+1 (408) 517 8000
1 (800) 721 3934
www.symantec.com